(54) Abstract Title

Network Intrusion detector which detects pre-attack probes or scans 

(57) A network intrusion detection system (IDS) employs a method which looks at network traffic data and 
determines for each address external to the monitored network the number of communications or attempted 
communications with an address allocated to the monitored network. If this number exceeds a threshold 
within a predetermined period of time this may be indicative of an attempt to probe or scan the network and 
therefore the external address is flagged as a potential security threat or source of attack. 

The system may also utilise a predetermined list of trusted external device addresses which the 
operator does not consider potential sources of attack and these addresses may be excluded from the method. 
DETECTION OF AN ATTACK SUCH AS A PRE-ATTACK
ON A COMPUTER NETWORK



BACKGROUND OF THE INVENTION 

The present invention relates to a method and apparatus for detection of an attack
such as a pre-attack on a computer network by an unauthorised user.

Security is important to the manager of a modern computer network, be it a LAN
(Local Area Network) or a WAN (Wide Area Network). Networks are usually
attached to the Internet. Therefore, there is a constant risk that some malicious person
from outside of a network may attempt to obtain access to the network and use this
access to disrupt normal network activity or gain access to private information.

Many network managers use 'firewalls' (a device which filters traffic entering and
leaving a computer network to protect it from malicious users) to protect their
network from people outside the network. However, for many reasons firewalls are
not suitable for all types of networks, since they may restrict the ability of legitimate
users to use the network, and even where they are used it is useful to have an
additional level of security. We will describe a technique for detecting when someone
from outside a network is attempting to access the network in an unauthorised way.
The technique does not require a firewall in order to operate, and thus can be used as a
complement to existing firewalls. For users who do not use firewalls, the method
described offers a way to try to detect unauthorised or malicious accesses to the
network.

All devices on a network are identified by an 'address' (eg an IP address). When a
device wants to send data to another device, it typically marks the data with the
destination address of the device it wants to communicate with and then puts this data
onto the network, where it is forwarded to the correct device based on the destination
address.
When a malicious person wishes to attack a network, it is usual for them to carry out
what is referred to as a 'pre-attack' on the network, that is to try to identify addresses
which identify actual devices within the network. It would be useful to be able to deal
with this problem.


Thus the arrangement of the invention allows the network to identify such a pre-attack.

SUMMARY OF THE INVENTION 


The present invention provides a method for detecting a potential attack on a
computer network comprising:

determining, over a period of time, and for each device address outside the
local network, the number of communications or attempted communications with
addresses within the local network, and where the number exceeds a predetermined
number, identifying the external device address as a potential source of attack.

The present invention also provides a computer program on a computer readable 
medium or embodied in a carrier wave comprising the following steps: 

from network traffic data which includes the source and destination addresses 
of traffic on the network, make a list E of all the addresses in the data which are not 
allocated to the local network and which are not in a list X; 
choose a first address in list E; 

count the number of data entries of the form (A,B) where A is the address
chosen from list E and B is any address allocated to the local network;

if the number of such data entries is more than T, output address A;
determine if there are any entries in list E left to process;
if yes, move on to the next address in list E and repeat the preceding three steps;
if no, stop.

BRIEF DESCRIPTION OF THE DRAWINGS
A preferred embodiment of the invention will now be described by way of example
only and with reference to the accompanying drawings in which:

Figure 1 is a diagrammatic view of a network incorporating a preferred embodiment
of the invention, and

Figure 2 is a flow chart of the steps of the preferred embodiment of the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

A computer network will usually have a network manager who may set up and
control a computer network. The network manager will normally have his own
network supervisor's workstation or computer.

Referring to Figure 1 there is shown a network 10 comprising a plurality of devices in
the form of a network supervisor's workstation or computer 11, other workstations
12B - E, hubs 13A, 13B, and switch 14. The network is a simple network and is set
out for purposes of illustration only. Other configurations and arrangements may be
used.

The devices are connected together by means of links 16A - H which may be hard
wired and utilise any desired protocol, and link 16F which is a wireless link.

The network supervisor's workstation includes, in addition to a visual display unit 18, 
a central processing unit or signal processor 19, a selector which may be in the form 
of a mouse 22, a program store 21 which may comprise, for example, a CD drive, a

floppy disk drive or a zip drive, and a memory 17 for storing a program which may 
have been loaded from the program store 21 or downloaded for example via Internet 
from a website. 

In a preferred arrangement, the computer 11 may, on command from the selector 22,
process signals from the memory 17 by the signal processor 19 and provide on the
visual display unit 18 a network map showing each of the devices and the links
therebetween. In the examples shown, the network is simple but of course in many
instances the network will be considerably more complex and it may be necessary to
arrange that the visual display unit 18 only shows a simplified version or only part of
the network at any one time.


In order to initialise a computer network, a network manager (or the installer) needs to
assign addresses to all the devices on the network. Typically, the manager of a
computer network will receive an allocation of possible addresses for devices. The
manager may assign any of these addresses to the devices that are actually attached to
the network at his discretion. It is usual to have many more allocated addresses than
devices on the network and typically only a small fraction of the allocated addresses
are actually used by devices on the network.

In order to access devices on a network, the malicious user needs to find out the
addresses of the devices on the network that can be illicitly accessed. Since network
managers usually try to protect their devices against malicious users, a malicious user
may only be able to gain access to a small number of the devices on the network, or
possibly no devices at all.

In order to find out the addresses of devices that can be illicitly accessed, a user will
typically perform a 'pre-attack probe'. Since the range of addresses allocated to a
particular network is public knowledge, a 'pre-attack probe' involves using a
program to test in turn every address within the range of addresses allocated to the
network. For every address allocated to the network, the pre-attack program assumes
that there is a device assigned to that address, and attempts to contact the device at the
address to determine if the device is susceptible to illicit access. If there is a device
allocated to that address, then the device will respond to the 'pre-attack probe' and the
malicious user can then attempt to access this device for his own illicit purposes. If
there is no device allocated to the address, then there will be no response to the
'pre-attack probe'.
Since every device on the network must be using one of the allocated addresses, if
allowed to continue access, in time the 'pre-attack probe' is certain to discover all the
devices that are susceptible to illicit access.

So called 'pre-attack probes' are a common precursor to other types of illicit network
access. We will now describe a way to detect malicious users by detecting 'pre-attack
probes' using information collected from the network.

As is well known, the network manager will normally have installed on his
workstation a program that enables him to understand the technical operation of the
network. Some of the devices within the network will be "managed" devices, that is
devices which include a so called "agent" which collects and stores data relating to
the operation of that device and the traffic passing through, to, or from it. The
network manager's computer, using the relevant software, interrogates the agent of
each device using a known protocol, such as SNMP (Simple Network Management
Protocol).

A typical way of arranging this is to use a device called an RMON or RMON2
(Remote Monitoring Specification) probe for collecting data about the activity of
devices on the network. Such a device uses SNMP to transfer RMON or RMON2
information to the network management computer. The RMON2 standard is defined
in IETF RFC 2021. The network manager's computer includes a store (memory) in
which the traffic information is stored for a period of time (day, week, month). This
historical information may be stored as a database.


This traffic information may be provided to the network manager in any convenient
form such as a table or graphic on his VDU (Visual Display Unit).

In accordance with the preferred arrangement, to detect 'pre-attack probes' on a
particular network (which we will call the local network), data is required which
records the pattern of traffic on the network over a selected time interval. This data
must record every pair of addresses A and B where a device using address A has
attempted to communicate with a device using address B during the time period. A
highly suitable source of data would be the RMON2 probe (in RMON2 either the
alMatrix or nlMatrix tables could provide this information).

The data must include every communication between an address outside the local
network and an address within the local network. Ideally, the data would also include
attempts to communicate with addresses which are allocated to the local network but
which have no device associated with them. This data is most sensibly collected by
monitoring traffic flowing between the local network and the outside world.


The data is collected by a network management computer over the course of a few
minutes or hours and then the following analysis is performed on the data by means of
an algorithm (program), and the network manager alerted by the application if a
'pre-attack probe' is detected. This would often mean that the network manager would be
informed of the 'pre-attack probe' before the malicious user had a chance to do
anything bad. This process is repeated continuously to provide constant monitoring
for 'pre-attack probes'.

The preferred method of the invention is carried out under the control of the network
manager's work station or computer and in particular by means of a program
controlling the process of that computer or elsewhere in the system.

The program for controlling the operation of the invention may be provided on a 
computer readable medium, such as a CD, or a floppy disk, or a zip drive disk 
carrying the program or its equivalent, or may be provided on a computer or computer 
memory carrying the website of, for example, the supplier of the network products. 
The program may be downloaded from which ever appropriate source and used to 
control the processor to carry out the steps of the invention as described. 
For the purpose of explanation it is assumed that the traffic data is presented as a list
E of address pairs of the form (A,B). An entry (A,B) in the list E indicates that a
device with address A communicated or attempted to communicate with a device with
address B during the time interval which the data corresponds to. (There may,
however, be no device with address B). Although the precise representation of
addresses in the list is not important, devices will usually be represented by IP
address, since this is the form in which RMON2 data is presented. If an RMON probe
is used it normally provides the traffic data in the form of an 'nlMatrix' table of data.
The nlMatrix table records information about all conversations between devices, and
stores them, using absolute counters, in a table which is ordered by network-layer
protocol (e.g. 'IP') and source and destination addresses (i.e. IP addresses). An agent
would record an entry in this table for every conversation which it has 'seen'.

Typically, a row in the stored table would look like this:

[Table row: Protocol | Source address | Destination address | Packets | Bytes]

The 'packets' and 'bytes' columns represent how many packets and how many bytes
have been seen en route, travelling from the source address to the destination address.
The precise details of the table are given in the [RMON2 RFC].

The following is a simple example of how this RMON2 data could be used to form
data into a list, which would be in a suitable form for the algorithm:

1. Create an empty list L.

2. A program would read the entire nlMatrix table from a number of RMON2 agents.

3. The program would wait for a predetermined period of time (e.g. 10 minutes).

4. The program would read the entire nlMatrix tables from the same agents again.

5. If the 'packets' count has changed on any row between step 1 and step 3, then an
entry is added to list L containing (source address, destination address).

6. Remove duplicate entries from list L.

Thus list L contains a series of entries (A,B) which represent traffic flowing from A to
B, as required by the algorithm.
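The six steps above, as an added example that is not part of the patent: two readings of nlMatrix tables from several agents are compared, and every (source, destination) row whose 'packets' counter moved goes into list L once. The agent names, addresses and counter values are constructed; tables are modelled as dictionaries keyed by (source, destination).

```python
# Constructed first reading: {agent: {(source, destination): packets}}.
# Real nlMatrix rows also carry the protocol and a bytes counter; only packets is needed here.
SNAPSHOT_BEFORE = {
    "edge-probe": {
        ("203.0.113.7", "192.0.2.10"): 40,
        ("203.0.113.7", "192.0.2.11"): 12,
        ("198.51.100.3", "192.0.2.10"): 900,
    },
    "core-probe": {
        ("203.0.113.7", "192.0.2.10"): 40,
    },
}

# Constructed second reading, taken after the wait (e.g. 10 minutes later).
SNAPSHOT_AFTER = {
    "edge-probe": {
        ("203.0.113.7", "192.0.2.10"): 41,   # counter moved: traffic in the interval
        ("203.0.113.7", "192.0.2.11"): 12,   # unchanged: no traffic in the interval
        ("203.0.113.7", "192.0.2.12"): 1,    # new row: conversation first seen now
        ("198.51.100.3", "192.0.2.10"): 900,
    },
    "core-probe": {
        ("203.0.113.7", "192.0.2.10"): 41,   # same conversation seen by a second agent
    },
}


def active_pairs(before, after):
    """Return list L: (source, destination) pairs whose 'packets' counter differs
    between the two readings on any agent, with duplicates removed.

    A row present only in the second reading counts as changed, since all of its
    packets were seen inside the interval. The counters are absolute, so a counter
    that wrapped between readings still shows as a change rather than as silence.
    """
    pairs = []      # list L, kept in first-seen order
    seen = set()    # duplicate suppression across agents
    for agent, table in after.items():
        previous = before.get(agent, {})
        for key, packets in table.items():
            if previous.get(key) != packets and key not in seen:
                seen.add(key)
                pairs.append(key)
    return pairs


if __name__ == "__main__":
    for src, dst in active_pairs(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{src} -> {dst}")
```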
There are a variety of other, more sophisticated techniques which could be used for
generating data in the required form from RMON2 data. For example, the algorithm
could use data that has been collected and stored in a historical database.

The algorithm assumes that it is possible to determine if an address is allocated to the
local network. There are multiple ways to achieve this, including allowing the
network manager to indicate which addresses are allocated to the network and/or
discovering addresses of local devices using some automatic process referred to
briefly above.

In essence, the algorithm provides a method for determining a pre-attack on the
computer network comprising determining, over a period of time, and for each device
address outside the local network, the number of communications or attempted
communications with devices within the local network, and where the number
exceeds a predetermined number (T), providing an indication that the external device
address is a potential source of pre-attack. This is the process at its simplest.

However, other uses of the network may result in traffic patterns that resemble the
traffic pattern of a 'pre-attack probe'. For this reason, the algorithm below provides a
list of trusted devices, called list X. This list is intended to contain a list of devices
which the network manager does not believe will ever be the source of a 'pre-attack
probe' (for example, addresses in another network of the same company). The
algorithm will never indicate that any trusted device from this list has performed a
'pre-attack probe' and so the likelihood of a false alarm is reduced.

The algorithm assumes the existence of a numerical threshold value T. T is the
maximum number of devices on the local network that a legitimate device outside of
the local network might access in the time period of data collected. The actual value
used for T is based upon the length of time over which the data was collected and the
size of the local network. Too low a value of T will make the algorithm produce
'false alarms', while too high a value may mean that genuine 'pre-attack probes' are
not detected. A value of T might be 10 - 100, typically 50.
The output of the algorithm is a list of addresses of devices that appear to have
attempted a 'pre-attack probe' during the time interval of the data collected.

The program may include an algorithm of the form set out in the Figure. 


Thus the program may include the following steps:- 

program step 101, from network traffic data which includes the source and
destination addresses of traffic on the network, make a list E of all the (source)
addresses in the data which are not allocated to the local network and which are not in
list X;

program step 102, start with the first address in list E (call it address A);

program step 103, count the number of data entries of the form (A,B) where A
is the address chosen from list E and B is any address allocated to the local network;

if the number of such data entries is more than T, in program step 104, output
address A;

are there any entries in list E left to process?;
if no, stop;

if yes, at program step 105 move on to the next address in list E (call it address
A) and return to program step 103.
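Program steps 101 to 105 worked through on constructed traffic data, as an added example that is not the patent's own program: the local address range, the trusted list X, the threshold T and the (A,B) entries are all assumed values, and T is deliberately small so that the sample data triggers an output.

```python
from ipaddress import ip_address, ip_network

LOCAL_NETWORK = ip_network("192.0.2.0/24")   # assumed: addresses allocated to the local network
TRUSTED_X = {ip_address("198.51.100.3")}     # assumed list X of trusted external addresses
T = 3   # assumed threshold; the text suggests 10 - 100 in practice

# Constructed traffic data: one (source, destination) entry per conversation seen.
TRAFFIC = [
    ("203.0.113.7", "192.0.2.10"), ("203.0.113.7", "192.0.2.11"),
    ("203.0.113.7", "192.0.2.12"), ("203.0.113.7", "192.0.2.13"),
    ("203.0.113.7", "192.0.2.14"),                                    # 5 local targets: over T
    ("198.51.100.3", "192.0.2.10"), ("198.51.100.3", "192.0.2.11"),
    ("198.51.100.3", "192.0.2.12"), ("198.51.100.3", "192.0.2.13"),  # in list X: never reported
    ("203.0.113.9", "192.0.2.10"), ("203.0.113.9", "192.0.2.20"),    # 2 local targets: under T
    ("192.0.2.10", "203.0.113.7"),        # local source: never enters list E
    ("203.0.113.7", "198.51.100.50"),     # external destination: not counted in step 103
]


def build_list_e(pairs, local, trusted):
    """Step 101: source addresses that are neither local nor in list X, first-seen order."""
    external = []
    for src, _dst in pairs:
        a = ip_address(src)
        if a not in local and a not in trusted and a not in external:
            external.append(a)
    return external


def detect_probes(pairs, local=LOCAL_NETWORK, trusted=TRUSTED_X, threshold=T):
    """Steps 102 to 105: for each A in list E count the entries (A,B) whose B is
    allocated to the local network and output A when the count exceeds T.
    Distinct B values are counted, so a repeated entry for the same conversation
    cannot push a source over the threshold on its own."""
    flagged = []
    for a in build_list_e(pairs, local, trusted):           # steps 102 and 105
        targets = {dst for src, dst in pairs                 # step 103
                   if ip_address(src) == a and ip_address(dst) in local}
        if len(targets) > threshold:                         # step 104
            flagged.append(str(a))
    return flagged


if __name__ == "__main__":
    print("potential pre-attack sources:", detect_probes(TRAFFIC))
```

Lowering T to 1 also reports 203.0.113.9, and emptying list X reports 198.51.100.3, which is the trade-off between false alarms and missed probes that the text describes.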

The address or addresses outputted at step 104 will be passed to the network
manager's computer and highlighted as the address(es) of a potential malicious person
attempting to gain access to the computer and using a pre-attack technique.

The preferred method of the invention is carried out under the control of the network
manager's work station or computer and in particular by means of a program
controlling the process of that computer or elsewhere in the system.

The program for controlling the operation of the invention may be provided on a
computer readable medium, such as a CD, or a floppy disk, or a zip drive disk
carrying the program or its equivalent, or may be provided on a computer or computer
memory carrying the website of, for example, the supplier of the network products.
The program may be downloaded from which ever appropriate source and used to
control the processor to carry out the steps of the invention as described.

Note that the operation of the invention is not affected by the presence or absence of a 
firewall. 

It should be noted that the arrangement described uses historical data. In other words,
traffic data is collected over a period of time and is then analysed subsequently. In
this way patterns and relationships that build up over a course of time can be readily
identified. If one were to try to carry out the same process in real time, and to
maintain the data for a short period of time, it can be difficult to establish patterns of
use. Thus, for example, the pre-attack program might access a succession of
addresses in the local network over the course of a period of time which may range
from minutes through to an hour or two, and by using historical data the relevant
information can be readily accessed and analysed and the pattern becomes apparent.

We have described the method in terms of detecting an attack such as a pre-attack.
However the same technique can be used to determine other forms of pattern of
usage.

The invention is not restricted to the details of the foregoing example.
CLAIMS



1. A method for detecting a potential attack on a computer network comprising:
determining, over a period of time, and for each device address outside the
local network, the number of communications or attempted communications with
addresses within the local network, and where the number exceeds a predetermined
number, identifying the external device address as a potential source of attack.

2. A method as claimed in claim 1 in which external device addresses on a
predetermined list are not indicated as potential sources of attack.

3. A method as claimed in claim 1 in which only some of the addresses within
the local area network are connected to devices.

4. A method as claimed in claim 1 including the steps of, from network traffic
data which includes the source and destination addresses of traffic on the network,
making a list of all of the addresses of said devices outside the local area network,
and, starting with the first address in the list, counting the number of data entries
which include A and B and which represent network traffic passing between a source
address A chosen from the list and a destination address B allocated to the local
network, and, if the number of such data entries is more than a predetermined number
T, indicating that the address is a potential source of attack, and returning to the list and
processing the next address in the list until all of the addresses in the list have been
processed.


5. A method as claimed in claim 4 in which the network traffic data is historical.

6. A method as claimed in claim 5 in which the network traffic data is collected
by an RMON probe.

7. A method as claimed in claim 1 including excluding from access to the local
area network the or each external device address identified as a potential source of
attack.



8. A computer program on a computer readable medium for carrying out the
method of claim 1.

9. A computer program on a computer readable medium comprising the 
following steps: 

from network traffic data which includes the source and destination addresses
of traffic on the network, make a list E of all the source addresses in the data which
are not allocated to the local network and which are not in a list X;
choose a first address in list E;

count the number of data entries which include A and B and which represent
network traffic passing between a source address A chosen from list E and a
destination address B allocated to the local network;

if the number of such data entries is more than T, output address A;
determine if there are any entries in list E left to process;

if yes, move on to the next address in list E and repeat the preceding three steps;
if no, stop.

10. A computer program embodied in a carrier wave for carrying out the method
of claim 1.

11. A computer program embodied in a carrier wave comprising the following
steps:

make a list E of all the addresses in the data which are not allocated to the
local network and which are not in a list X;

choose a first address in list E;
count the number of data entries of the form (A,B) where A is the address
chosen from list E and B is any address allocated to the local network;

if the number of such data entries is more than T, output address A;
if the number of such data entries is less than T, determine if there are any entries
in list E left to process;

if yes, move on to the next address in list E and repeat the preceding four steps;

if no, stop.